[dupe] I'm a security engineer and I still almost got scammed (robertheaton.com)
108 points by d4a on April 22, 2022 | hide | past | favorite | 79 comments



This post was second-chanced and the timestamp was moved ahead, so this was the first post, the second post arrived, then this one got the timestamp moved forward from the second chance pool.


There was almost an exact dupe a few weeks ago. Also a security researcher scammed by the same method.


link?


Nobody in any kind of profession is immune to scamming. People have bad days, you could be hit by a novel scam, or your accounts/systems could already be partially compromised—allowing an attacker more intel than you would expect them to have.

I’d caution any security professional or engineer against thinking they’re too smart or savvy to fall for this stuff. Assume you will be compromised at some point and make damn sure you can recover accounts or assets that are important to you. Failing that, get insured or figure out ways to mitigate the worst of your liabilities.


Security pro here. I came pretty close to falling for the “this is the power company and we are cutting off your power unless you pay the bill in the next 45 minutes” scam. It was late in the day during winter, so I knew if it got cut off, my small children were going to have a miserable night; and I was on a crowded bus and unable to get out my laptop to log into the website. I also knew my credit card had recently been rotated and that maybe I had forgotten to update it on the power company’s site. So I had a couple reasons to believe the situation could be real. The only thing that tipped me off was that they suggested the best way to pay quickly was to go buy iTunes gift cards and read them the numbers over the phone. If these boneheads had a way to take credit cards over the phone I might have been sunk.


I'm happy enough to live in a country where this is considered so inhumane that this is very obviously a scam.

I understand why you'd (almost) fall for this. I think it is wrong to assume you never will. So put safeguards in place; it may be good to start thinking about what those could look like. I have no idea... I'm very afraid my parents will someday waste a lot of money on a scam like this. Or, you know, me.


Yeah, just cutting off power out of nowhere is way too hard for me to believe. You always first get a couple of warnings over the course of a couple of months.

I've got to admit, although I'm not a security expert at all, all of these scams sound way too unlikely for me to fall for. But then again, it's easy to think that when you're behind your desk reading an article called "how I got scammed". It's very different when they reach you when you're already stressed and confused. Who knows what I'd fall for. I hope I'll never find out.


If they had taken credit cards, and made fraudulent transactions, maybe they could have made a few purchases in retail stores, but as soon as you detected that fraud you’d call the bank and issue a chargeback - a hassle but you’re not out any money.

Also, banks are smart. If a single CC is being simultaneously used in multiple physical locations, that’s an immediate red flag for fraud. My bank also asks for OTPs when I make online payments at novel/obscure websites.

A scammer who got my full CC number couldn’t make a fake physical card since it’s chip-and-pin; or at least not use it at any mainstream retailer which would require a chip transaction. So they’d be limited to online ones. I suspect the bank might even be passed the IP or other fingerprint details when authenticating the transaction, resulting in OTP requirements when risk is detected (online transaction from foreign country when I live in my country).

As long as you have a couple of CCs (so you can still pay for stuff if one gets deactivated due to fraud), CC fraud will typically be detected by the bank and refunded, along with new card issuance.

My main CC company will also text me randomly asking if any of the last three charges was unauthorized, with their details. Sometimes the card is paused until I respond. This most typically happens when I’m traveling. If I text back that they’re all legitimate then the card works again immediately; if one is fraudulent then they get me on the phone to confirm the details and issue a new card.

The CC companies seem to be pretty good about not having false alarms when you travel any more (though if you’re traveling internationally, giving them a heads up helps avoid issues) - I believe it’s simultaneous use from multiple geos that trips fraud alarms.


RE chargebacks: stolen cards are often monetized these days with a scheme known as "triangle fraud". Here's how it works:

0) the scammer somehow acquires Person A's credit card info

1) the scammer sets up an online store on Amazon or similar and sells some popular item at a 20% discount (eg Nespresso pods)

2) the scammer doesn't actually have that item in stock, but when they get an order from Person B, they use the stolen card to place another order with a legitimate seller and set the destination address to Person B's address (basically drop-shipping but where the victim is paying for the cost of the goods being sold)

3) Now the scammer has received already-laundered clean money from an online transaction, and Person B got the product they wanted on-time and at a steep discount. They're happy, and certainly won't be complaining to their credit card company.

4) when Person A reports their card stolen and tries to perform a chargeback, the legitimate seller who acted as an unwitting drop-shipper ends up eating the cost.


DEFCON 27 had a talk on exactly this by Nina Kollars, which I suspect is where the Nespresso reference comes from. It's an excellent overview of the topic of triangle fraud. :)

DEF CON 27 - Confessions of an Nespresso Money Mule Free Stuff and Triangulation Fraud: https://www.youtube.com/watch?v=4fYZpRBuh-s


Almost impressed at the cleverness of this all! Especially since, if it's done right, all parties see "business as usual" - and even if they DO suspect a scam, nobody has any incentive past a moral one to say anything.


Wait what? The person with the stolen credit card will report the fraudulent charge causing a chargeback for the seller - how is that “business as usual”? If the business is getting hit with chargebacks they sure as fuck have a financial motivation if not moral one to report it.

This relies on churn and hoping that a percentage of the fraudulent charges go unnoticed. But if it’s oversight then it’s not really that party “seeing” anything.


Someone noticing they are being scammed means that it's over anyways. What I'm saying is that, as the scam is happening, you are going to get at least 1 "legit" looking transaction where the cash is already in the scammer's hands. The person with the stolen credit card is often someone elderly or unable to notice major financial decisions, which makes them perfect marks for being scammed in the first place. What I'm saying is that, to all the parties involved except the scammer, there are no obvious signs that something fishy is going on.


Sadly in Europe a lot of these transactions are done on debit cards, which make redress much harder if not impossible - once the money is out of the account, it's gone for good. Banks may or may not eat the loss depending on a number of factors, size being one of them: 4+digit amounts will likely never be reimbursed.

But yeah, CCs are safer; it's one of the things you pay for (typically by means of higher prices, as merchants pass on their CC fees to customers).


> Sadly in Europe a lot of these transactions are done on debit cards, which make redress much harder if not impossible - once the money is out of the account, it's gone for good.

While this is true, it's also much harder to do a fraudulent payment. The card number itself is not enough; you actually have to go through the bank's payment system with its 2FA, and that's not something a thief can easily fake.


I am 100% sure I will never fall for a scam where I am told to read a code SMS'd to me back to them, because that is just an action I will never do.


I'm pretty sure now, but if I haven't slept for 2 days and/or I suspect a family member might be in trouble, I can imagine my brain betraying me.


General rule that everyone should apply to phone calls from banks or utilities that they didn’t schedule in advance (and I mean schedule, not just a call you’re expecting at a random time) is to get the name of the company, hang up, search for their number and call back.

If the caller ever places you under any sort of pressure, or makes some sort of threat (e.g. your money is about to be stolen, your power will be cut off, the police will arrest you), hang up immediately. Once a scammer has got their claws into the panic centres of your brain, you’re a lost cause. The longer you’re on the phone, the more time they have to make you panicked.


I do this, but the operators get quite rude that I won't give my details right then and there. Afterwards getting back on to the original operator is almost impossible and I have to spend 30 minutes on hold, and department swapping, trying to find someone who knows why they were originally calling me.

Banks, and the like, need a system where you can call their (verifiable) number, and then enter a unique code that connects you back to the original operator that was calling you. It shouldn't be this hard to be safe. Especially when they continually preach to us about phone scams that we should be wary of.


> stay safe while also successfully transacting with clumsy companies whose legitimate policies seem like hoaxes

IMO, those sorts of companies are the root cause of why there are so many scams like this one today. In particular, I remember one time while renting a car, I got a call from the rental company. They said there was a problem but wanted me to verify my identity before they'd give me any details about what it was. Obviously, I refused, so I ended up going back in person to see what was going on and take care of it, and they verified the call was legitimate, but what their caller did is exactly what a scammer would try to do.


A couple of years ago, I had a fraudulent transaction on my credit card. I told my bank who cancelled my card and issued a new one.

A week later, I get a call from my bank. The person, who spoke with a strong Indian accent I had trouble understanding, wanted to follow up on the fraudulent transaction to ensure the chargeback was done properly. He refused to give me any details until I had proven my identity by giving my name and passport number. I was immediately concerned so I refused to give those details. The CS on the phone seemed annoyed at that. I then contacted my bank relationship manager who had no idea if the call came from the bank or not, so I decided then that it most likely was a scam.

Turns out a week later, my relationship manager told me that the call was actually legitimate. They really didn't understand why having someone from the bank call and ask me for my passport number was a problem in terms of security.


Such a common and annoying issue. People take the stance of “I’m calling you, and I’m clearly trustworthy, why wouldn’t you share your info with me?”. For some reason the idea that someone might pretend to be them, and you have no way of checking, just doesn’t occur to them as a real possibility. Despite the fact that fake calls from your bank are a common, well known scam.


On top of the fact that it makes no sense and is insecure, they're training their own customers to trust and respond to scammers.

It's baffling to hear that there are banks that do this. They should know better.


Reading or entering codes from SMS is really risky. If the message doesn't say who it's from in the body, there's no safe way to proceed.

Let's say you're trying to create an account on website A. It says you need to confirm your phone number, sends you an SMS, and you need to give it the code. The SMS says "Your verification code is 395724". Do you type it in? There's no way to know whether that was legitimately sent by website A, or was sent by one of the 100 other websites you have accounts on, due to website A trying to hack that account.

Even if it does say "395724 is your Facebook Password reset code", 90.5% of people won't pay attention to it saying "Facebook" and will just type the code into whatever website they're trying to sign up for.[1]

[1] https://www.ieee-security.org/TC/SP2017/papers/207.pdf


Scrolling through my 2FA SMSs, it does seem like every service is putting their name in the SMS and it usually comes before the code ("Your [service name] security code is ..."). A bunch also write "[service name] won't call you for this code" or "This code is for online entry only."

I do believe most people don't read this stuff, especially since most more recent phone OSes tend to offer to extract the code into the clipboard for you.


Uber has a 4 digit code SMS and you just need tel. no and this code to get in. Someone has been trying to hack by sending dozens of them. There is no option to change my password when I log in. I just removed the payment method.

1000 numbers and a botnet and just guess 1234 and you'll probably get into an account. I wonder why Uber doesn't make it more secure.


...this person is a security engineer? It is literally rule number 1 that you do NOT share MFA codes with anyone. Many sites even clearly say that when sending you the code!

This is also a common craigslist scam

Also how does a security engineer NOT know that phone numbers are super easy to spoof?!


> The internet tells me that caller IDs are easy to spoof, which I didn’t know but doesn’t surprise me

A security engineer does not know THIS? I'm confused.


Idk why caller ID spoofing is still a thing that carriers just let happen.

Email has had the same problem and we have since built solutions like DKIM to more or less get rid of most spoofing attempts.


I have a "business" VOIP account and I can just populate the "from" number with anything. My asterisk box is considered like a small carrier and my carrier will trust it. I think I could also announce numbers I do not own to get incoming traffic but I never tried. I use the caller id for redirection: when I call out from my fixed line, my mobile number is displayed, so people call me back on mobile.


Not to shame the author--I'm glad when people share the stories--but the thing that surprised me is that the author knew the "hang up and call the number on your card" advice but didn't seem to understand why it's common advice. The whole point is precisely that caller ID is completely unreliable. If caller ID were secure and authenticated the caller, there'd be no need to hang up.


Seriously, this is even more embarrassing than the nearly-identical blog post that was on here a few weeks ago.


Depends on the country; in the US it's relatively common. In other countries it can be much more difficult.


A conman has all the time in the world to lay down a path for their marks to follow. They can hone their process over time and have the benefit of running the same scam over and over to improve it. A mark has a single moment to react to these well laid plans, a moment in which they can be distracted and not thinking in a security context. There is a scale of conman skill vs mark awareness but pretty much anyone could fall for a con given the right situation.

For those disparaging this person's job title of security engineer: an engineer dealing with network security of IP traffic is a different skillset from a security consultant advising on human involved phishing attempts & cons. The context also matters here. Being on your computer & working on network security, looking for threats, is a very different and incomparable situation from being in the park living your non-work life and getting a call from the bank.


> For those disparaging this person's job title of security engineer: an engineer dealing with network security of IP traffic is a different skillset from a security consultant advising on human involved phishing attempts & cons.

If this is so then maybe they should reconsider calling it out in their headline? Just saying.


> I knew that I should hang up and call the number on the back of my card

Everything after this, where the guy DIDN'T call the number on the card, is where it went wrong.

The guy went along with the social engineer who was calling him inbound, and used a SMS-based password token reset to get into his account. After that, it was game over.


You'd think that services should be aware of the security concerns in this inbound vs outbound distinction, but I've had cards where after calling the number on the card, customer service person actually instructed me to hang up and await a callback from them... Which almost always came from some other line with some other number...

OTOH in hindsight it could be because they don't trust caller id on their side and want to verify that the call is really made from/to a phone number that's on file.


Being targeted by unsolicited inbound calls or SMS is absolutely dangerous and I could possibly fall in that trap, especially when I have some impending business with my bank (say, renewing my cards).

Subject to regulations, banks take all types of precautions to identify you. Would regulation not force them to comply with how you can identify your bank in one of these touchpoints?

My best suggestion would be to have something like reverse 2FA in the mobile banking app: the calling agent should be able to tell you the number you are seeing in a specific screen on your phone app.


My ISP is a nightmare for this.

Every time you call them, they send you a one time code via sms to "prove" it's you. Not perfect but better than asking what my birthdate is.

But they pull the same thing when they call me. I answer the phone and they say they are a rep from the ISP and ask if they're speaking with me and then send me an SMS code to confirm... To the same number I've just answered the call from. It's a textbook phishing call, as if they're trying to access my account but lack the one time code.

The first time I thought it was a phishing call.

The operator was surprised when I said "no" and requested what their extension is so I can call them on a number published on ISP website.


The answer I get, when asking for an extension, is "we can't take incoming calls" (I think this is supposed to hide the call centre locations?) and they say they can't provide a reference.

So then you call a number for the company that you know and the people have no idea who called or why, and then you think it was phishing ... until it becomes apparent it wasn't -- like a transaction is stopped.

The whole thing is so frustrating.


Had a similar experience with what I recall was my gas provider - they called me because they needed a reading or similar, and started asking identifying questions on the phone from me on a call they initiated.

How does anyone think this is a reasonable procedure? I had to politely decline giving the information out to them.


Reverse 2FA is too complex for the demographic most affected by these scams: the elderly and the unskilled. So it would likely provide very little return on investment from the bank's perspective.

This really needs some sort of well-thought-out legal mandate.


Totally right, even my dad in his eighties has serious trouble with regular SMS based OTPs!


I have problem with that too. You get an SMS, try to copy paste the code but the UI for that is terrible and you select all sort of text around the code, paste it in and try to modify it.

Or you go back and forth between the website and the SMS and enter the code manually.

Android is really bad for "multi tasking". And there is a reason people share screenshots of articles rather than URLs ...


Both Android and iOS try their best to detect the code and prompt you to use it, but all these messages are different and nonstandard; some even include multiple code-looking strings, like a transaction reference for logging purposes. So both OSes fail at it very regularly.

Things would be easier if 2FA systems agreed on a common format that can be semi-automated better. Which again is probably something that will never happen unless authorities step in.
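The two comments above (the "Your verification code is 395724" problem and the observation that OS auto-fill trips over unnamed senders and extra reference numbers) come down to one rule: a code may only be auto-filled when the message names the sender and that sender matches the site asking for it, and never when the message is ambiguous. The following is an added example, not code from the original thread; all sample messages are constructed and the service-name heuristics are my own assumptions.

```python
"""Decide whether an SMS one-time code may be auto-filled into a given site.

Added example, not from the original thread. It models the point made in the
discussion: a code whose message does not name the sending service cannot be
bound to the site asking for it, and a message carrying several code-like
numbers (e.g. a transaction reference next to the OTP) is ambiguous.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 4 to 8 digit run that is not glued to other digits or hyphens, so phone
# numbers written as 555-0100 and long account numbers are not picked up.
CODE_RE = re.compile(r"(?<![\d-])\d{4,8}(?![\d-])")

# Assumed sender-name conventions, based on the wording quoted in the thread:
# "your <Service> ... code" and a "<Service>: ..." prefix. Capitalisation is
# what separates "Facebook" from "verification", so matching is case-sensitive.
SERVICE_RES = [
    re.compile(r"\b(?:[Yy]our|[Tt]he|[Ff]rom)\s+([A-Z][A-Za-z0-9]+)\b"),
    re.compile(r"^\s*([A-Z][A-Za-z0-9]+):"),
]

# Phrases like "<Service> won't call you for this code" mark the code as
# online-entry only; a client could surface that to the user.
NOT_FOR_PHONE_RE = re.compile(r"won'?t call|will never call|online entry only", re.I)


@dataclass
class ParsedSms:
    code: Optional[str]        # the single code, or None when absent/ambiguous
    service: Optional[str]     # sender named in the body, if any
    candidates: List[str]      # every distinct code-like number found
    not_for_phone: bool        # message says the code must not be read out

    @property
    def ambiguous(self) -> bool:
        return len(self.candidates) > 1


def parse_otp_sms(body: str) -> ParsedSms:
    """Extract code candidates and the named sender from an SMS body."""
    candidates = sorted(set(CODE_RE.findall(body)))
    service = None
    for rx in SERVICE_RES:
        m = rx.search(body)
        if m:
            service = m.group(1)
            break
    code = candidates[0] if len(candidates) == 1 else None
    return ParsedSms(code, service, candidates, bool(NOT_FOR_PHONE_RE.search(body)))


@dataclass
class Decision:
    allow: bool
    reason: str
    code: Optional[str] = None


def autofill_decision(body: str, current_site: str) -> Decision:
    """Allow auto-fill only for an unambiguous code whose sender matches the site."""
    parsed = parse_otp_sms(body)
    if not parsed.candidates:
        return Decision(False, "no code-like number in message")
    if parsed.ambiguous:
        return Decision(False, f"several code-like numbers {parsed.candidates}; refusing to guess")
    if parsed.service is None:
        return Decision(False, "message does not name the sender, so the code cannot be bound to a site")
    # Simplistic binding: the sender name must appear in the requesting site's host name.
    if parsed.service.lower() not in current_site.lower():
        return Decision(False, f"code was issued by {parsed.service}, not by {current_site}")
    return Decision(True, f"sender {parsed.service} matches {current_site}", parsed.code)


if __name__ == "__main__":
    # Constructed messages mirroring the thread's examples.
    samples = [
        ("Your verification code is 395724", "website-a.example"),
        ("395724 is your Facebook Password reset code", "website-a.example"),
        ("395724 is your Facebook Password reset code", "www.facebook.com"),
        ("Your Citi security code is 882211. Transaction ref 20220422. "
         "Citi won't call you for this code.", "citi.example"),
    ]
    for body, site in samples:
        d = autofill_decision(body, site)
        print(f"{site:20} allow={d.allow!s:5} {d.reason}")
```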


An Australian bank I interacted with had this: you could preset a key phrase they have to tell you by phone so you can authenticate them.


That makes you vulnerable to an employee who keeps a list of these magic phrases as he is legitimately calling people for the bank. Practically untraceable.


Given that without that kind of reverse password you are also vulnerable to a malicious employee, I'd say it's a simple solution that avoids issues like the ones suffered by the author of the article.


That would imply that it is harmless which it is not, as when an attacker would recite your magic phrase, you’d be much more inclined to trust him. And the attacker doesn’t have to be or know an employee, only an ex-employee.


Renewing cards, don't they just send you a new one in the mail when the old one expires?


For sure. But if I am expecting to receive a new one and an SMS pops up telling me something about the renewal, one can get confused and assume the SMS is legitimate.


Scamming 101: Just keep trying.

The scammers don't care how savvy you are, they just target that one iota of a second when you just blabber out that crucial information. Everyone has bad days, and worst moments of those bad days. And the scammers are hunting for that very special moment. If the stars align just right, you are in a world of pain.


I played along with one of these out of curiosity. I got the call while I was browsing the SF Costco by the Selecttech 552 dumbbells. The memory is vivid af. They claimed that money had been transferred out of my Coinbase account. I had a sum of money similar to what they claimed in USD in there in ETH so I was curious if they knew details about my account.

In the end, there was nothing clever about it. They just talked about how to reverse the payment etc. etc. and then wanted to send me a link to share screen or point my phone at my Coinbase screen or something. So if the link didn't download malware, there must be some sort of sequence of things they would have me do that would compromise me. Perhaps they'd got my password and they'd ask me to type in my 2FA code and they'd just type it in first as it was visible? Anyway, at that point, the number of possibilities amplified and I wasn't prepared to play the game any more, and besides I was at Costco and really didn't have my laptop, so I said "Okay, I'll just go do this at the website" and hung up over their protestations.

Honestly, it was pretty obviously scammy because they were trying to apply pressure tactics. I've never had anyone who serves me use pressure tactics on me.


There is a guy on Youtube who plays along and then gives the scammers access to a machine that he hosts on an isolated VM. Does all kinds of funny antics. I heard it was all fake for comedy purposes but I still like to hope it's not.


Kitboga is his name.


People say if you get a call from your bank, just ask what's the deal, hang up and call them back to make sure you talk to your bank. While for banks that may be true, a lot of companies outsource their call centers. I once called DHL for a question regarding a package that was on its way to me and the guy asked weird stuff like what my password for their internet portal was and the answers to the security questions to reset it. Of course I didn't answer any of that and he was getting mad. I ended the call, double checked the number I just called (it was correct) and simply hit redial, ending up at another person that actually just answered my question without asking for all my credentials. After the call I contacted a higher tier level of customer service and it was simply waved off as "There was probably just a misunderstanding".

tl;dr even if you hang up incoming calls and call them back (or initially call them without getting called first) you might end up getting scammed.


I seem to be protected from most of these types of scams because I never answer the phone unless the number is known. If it is important they will leave a voicemail.

Yes, caller ID can be spoofed, but it’s not as easy as it used to be, and a lot of spam calls appear to have moved to overseas numbers.


I do the same, but this falls apart if you are expecting calls from numbers not known to you and missing them is painful. Some examples of this could include the IRS, your health insurance company, or a busy doctor's office.

That said, if you can get away with it I also find it to be pretty effective at avoiding interactions with fraudulent callers.


The prevalence of payments by card on American websites often makes me nervous. At least several websites know my card numbers, such as Amazon, Microsoft and Unity Asset Store, and they are able to make payments without my permission at any time. In Poland, paying by card is rare, and websites don't need to save your card details. Most payments are done through payment processors who send a payment request to the bank and have the bank website do the authentication part, usually through SMS or bank mobile app. So there isn't really an option to make a payment without your permission.


Credit card companies also have this capability. Mine in particular sends an SMS with a confirmation link that requires a password for online transactions. But certain types of CC transactions, such as subscription charges, typically occur in the background, when the user may not be available. There aren't a lot of confirmation schemes in place for that, you'd need a plain manual transfer or "push" mode for subscriptions without a CC or bank account on record.


Whenever I have had a 'fraud detected' type call from my bank, doing the right thing (phoning back using the number on the back of my card) has resulted in sitting on hold, then being passed around until they can find the right department. It would be great if they normalized and streamlined this, by giving you a reference you could type into phone banking to get back through to the same agent/someone that is clued up on the issue.


> "I was suspicious, but the bank’s systems could easily be a wasteland archipelago of isolated micro-services that used different phone lines."

Anecdotally, I've found that the frustrating thing is that real banks/financial institutions tend to also commit a bunch of super sketchy (security wise) behaviors. I've encountered the following when applying for a credit card issued by a certain four letter bank:

Applied for the card online, but instead of getting a card in the mail, got a letter about "suspicious activity" on the card. Mind you, the card had yet to be issued to me and I didn't even know what the # was going to be so the card referred to in this letter may as well have been anything! Since it was my first card with them, I'm thinking "okay they probably mean that they want to re-confirm my ID and just used a weird template". So I call the phone # in the letter, making sure to first confirm that it matched one of the service numbers listed on the bank's website.

I get rerouted to a customer service agent after a bunch of automated prompts and the agent tells me they'll need to call me instead of me calling them. Weird, but, OK, maybe they want to confirm my phone number is real. So I hang up and promptly get a callback from a completely unrecognized number that was not listed on the bank's website (and turned up no useful search results). Again, sketchy, but hey maybe they have different outgoing phone lines.

The agent is then like "I need to confirm your identity for the credit card. Do you have some checking account with another bank?" Ok, again weird but whatever, so I go "yeah, I have an account with *** bank" "Ok we'll have you verify your account with *** bank". Then proceeds to _forward me a call they've made to the telephone banking service of *** bank_, which prompts me to enter stuff like my user ID and _password_.

Knowing how telephones (and authentication systems) work, I'm like "uhh what... no... I'm not comfortable entering anything here because you'd be getting my full login info for this other bank..." and subsequently had to work out a different way of doing the verification. All said and done, they did end up happy with the ID I provided and the card arrived a week or so later. But still, super sketchy interaction throughout...

tl;dr: A real bank's credit card dept. essentially tried to MITM my login credentials to another bank's phone banking service as a part of verifying id.


Credit card department of a bank would be a great place for a malicious actor to operate from.


That's what's really chilling. To this day I wonder if the customer service person was being intentionally malicious or if the bank's verification protocol was just that bad.

I could totally imagine friends and family just typing in their credentials because they'd just think: (1) it was a bank so it must be safe (2) that they got "transferred" so they're communicating privately with the other bank, and/or (3) that a person surely could not figure out what numbers they entered into the phone.


“I’ve cancelled that charge and sent a new card out to you,” said Barry. “I’d like to enable enhanced security on your account, but I’ll need to text you a confirmation code first. Is that OK?”

This should have been the end of it.


I just had a bank’s fraud department send me an SMS code that I had to read back to them to verify myself to have my account unblocked from a fraud block that was incorrectly applied to my account. That’s Citi. So the banks are helping to create this problem.


Rather, my point was that, after solving the purported problem (the fraudulent transaction), moving on to enable some unspecified "security enhancement" was unnecessary and should have been suspect. Of course, there's no telling how someone would react in the heat of the moment.


What’s worse is when they just have your phone number and relentlessly try to scam call you to convince you to give them bank info they need to take your money


I am surprised to learn that people still answer the phone.


What if you lost your phone or your phone died and you had to borrow a stranger's phone to call a loved one in an emergency?


Seems like an impossible situation. Even if you held a gun to my head to compel me to call a special someone, how would I know their number? The age of the phone book, to look it up, died with the advent of the mobile phone.


Anyone can be a "security engineer" on paper if they get the necessary training... but that doesn't give you the personality that you need for the job. The author does seem to have the personality to some extent... so he should be fine... but I don't think he'll ever be among the best because he did trust someone enough to have a child with them... and he took his child to a public park. That level of trust will seriously hinder his professional development as a security engineer.


????????

Having kids and going to a public park is bad judgment? Is this some joke that I'm failing to understand?


How does he know his wife isn't a corporate or Russian spy sent to exfiltrate his passwords and company data?

And now that he has a son, maybe a mortgage, a wife, a reputation - all of these things are liabilities that could be used against him. Better to never have anything at all than to open yourself to ransom.

A true security engineer:

    - Is unbribeable (has no earthly desires and 100% loyalty to the thing he is securing)
    - Has nothing of value to ransom
    - Has no fixed living address (it could be targeted by missile or drone strikes and needs to be defended 24/7 in case malicious agents plant spy bugs while you're out shopping)
    - Makes his own computers by melting down and reforging raw sand, boron, copper, and aluminum. (You can't be certain the NSA didn't detour your new Amazon.com laptop and plant bugs in it.)

You can be a passable average one without doing all these, but you'll never be the best.


No, it's not bad judgement for a normal human being... or even for an okay security engineer.


Unfortunately the bar for what's considered a Security Engineer isn't as high as it used to be.


A security engineer dealing with network security of IP traffic is a different skillset from a security consultant advising on human involved phishing attempts & cons.


Sorry but the author doesn’t even agree with you. Yours would be a fair take if the author didn’t multiple times state or imply that their “security engineer” title gave them some relevant expertise. - I mean it’s literally the rather click bait title “I’m a security engineer…”

As it stands we have some self designated security expert (who claims to regularly write about topics on digital security) that doesn’t even know that Caller ID can be spoofed.

All this criticism is fair.
